BUUCTF--[BJDCTF2020]easy

测试文件：https://www.lanzous.com/ib50fkb

 

文件分析

IDA打开后，在Function Window里面找到ques()函数就是输出我们的flag。我们可以通过调试修改EIP地址到ques函数(0x00401520)输出flag

int ques()
{
  int v0; // edx
  int result; // eax
  int v2[50]; // [esp+20h] [ebp-128h]
  int v3; // [esp+E8h] [ebp-60h]
  int v4; // [esp+ECh] [ebp-5Ch]
  int v5; // [esp+F0h] [ebp-58h]
  int v6; // [esp+F4h] [ebp-54h]
  int v7; // [esp+F8h] [ebp-50h]
  int v8; // [esp+FCh] [ebp-4Ch]
  int v9; // [esp+100h] [ebp-48h]
  int v10; // [esp+104h] [ebp-44h]
  int v11; // [esp+108h] [ebp-40h]
  int v12; // [esp+10Ch] [ebp-3Ch]
  int j; // [esp+114h] [ebp-34h]
  __int64 v14; // [esp+118h] [ebp-30h]
  int v15; // [esp+124h] [ebp-24h]
  int v16; // [esp+128h] [ebp-20h]
  int i; // [esp+12Ch] [ebp-1Ch]

  v3 = 2147122737;
  v4 = 140540;
  v5 = -2008399303;
  v6 = 141956;
  v7 = 139457077;
  v8 = 262023;
  v9 = -2008923597;
  v10 = 143749;
  v11 = 2118271985;
  v12 = 143868;
  for ( i = 0; i <= 4; ++i )
  {
    memset(v2, 0, sizeof(v2));
    v16 = 0;
    v15 = 0;
    v0 = *(&v4 + 2 * i);
    LODWORD(v14) = *(&v3 + 2 * i);
    HIDWORD(v14) = v0;
    while ( SHIDWORD(v14) > 0 || v14 >= 0 && (_DWORD)v14 )
    {
      v2[v16++] = ((SHIDWORD(v14) >> 31) ^ (((unsigned __int8)(SHIDWORD(v14) >> 31) ^ (unsigned __int8)v14)
                                          - (unsigned __int8)(SHIDWORD(v14) >> 31)) & 1)
                - (SHIDWORD(v14) >> 31);
      v14 /= 2LL;
    }
    for ( j = 50; j >= 0; --j )
    {
      if ( v2[j] )
      {
        if ( v2[j] == 1 )
        {
          putchar(42);
          ++v15;
        }
      }
      else
      {
        putchar(32);
        ++v15;
      }
      if ( !(v15 % 5) )
        putchar(32);
    }
    result = putchar(10);
  }
  return result;
}

 

get flag!

flag{HACKIT4FUN}